'Sabotage-as-a-Service': The New Frontier of Hybrid Warfare

In May 2024, Polish prosecutors charged nine individuals with conducting sabotage operations on behalf of Russian intelligence officers.¹ The group, active on Telegram, was tasked with disrupting railways, fuel depots, and logistics hubs. In the months that followed, the investigation expanded to encompass dozens of suspects spread across Poland, Czechia, and Lithuania.² In Lithuania, fifteen individuals were indicted for preparing attacks with package bombs dispatched through international courier services.³

These groups employed simple means in combination with drones, hoping to strike critical infrastructure without requiring military training.

What once demanded months of preparation by intelligence services can now be outsourced to freelancers with a phone and a payment request. Sabotage has been democratized: not secret agents in dark alleyways, but students, drivers, and contractors who execute small, anonymous tasks for pay.

‍

The arrests across Central and Eastern Europe illustrate how hybrid warfare is evolving into a modular ecosystem. Where espionage was once coordinated hierarchically, sabotage is now delegated to 'proxies' who execute actions through anonymous messages without understanding the larger objective.

This approach—often called "deniable disruption"—fits into a broader Russian strategy of controlled destabilization.⁴ Small, dispersed actions produce disproportionate effects: fires at distribution centers, temporary power outages, logistical delays. Much like the evolution of cybercrime toward ransomware-as-a-service, we are witnessing the emergence of a physical equivalent.

European authorities warned of this trend last year, noting that sabotage is no longer exclusively state-sponsored: extremist actors and organized crime are also adopting the methodology.⁵ This makes the threat not only more dangerous but also more diffuse—a hybrid network of freelancers that cannot be identified as a conventional military force.

The Netherlands occupies a logical position within this new ecosystem. Our open infrastructure, international energy position, and complex supply chains create a unique vulnerability.

The energy sector stands at the center of this concern, particularly because of:

Supply chain dependencies: A compromised supplier, sabotage at a compression station, or failure of a single data center could destabilize the national energy network.

Insider threats: Temporary contractors, cleaning services, and technicians with facility or system access serve as unknowing connection points.

Via Telegram, cryptocurrency payments are used to hire civilians for small tasks—"place this package," "film this location"—without their realizing they are part of a sabotage operation.

The AIVD's annual report confirms that Russian pre-positioning around energy and telecommunications infrastructure in the Netherlands has been detected.⁴ The EU SOCTA 2025 report similarly identifies sabotage and physical infiltration of logistics chains as an emerging category within organized crime.⁵ For Dutch energy companies, this means traditional security models—fences, cameras, access controls—are no longer sufficient. The vulnerability no longer lies in steel or code, but in behavior, trust, and supply chain integrity.

Modern sabotage demands a new definition of resilience: physical, digital, and socio-organizational.

For energy companies, three critical routes emerge:

Adversary-Focused Scenario Analysis

Conduct red-team exercises with external specialists that simulate realistic sabotage scenarios: how can someone with minimal resources create maximum disruption? Test physical locations, suppliers, and maintenance processes.

Chain Due Diligence as Standard Practice

Develop integrity checks for all subcontractors. Explicitly ask suppliers whether they accept cryptocurrency payments. Monitor who has access to SCADA and remote-control systems. Schedule quarterly audits of high-risk supply chain partners.

Building Social Resilience on the Shop Floor

Train personnel to recognize anomalous behavior: unusual photography, unexplained packages, or sudden interest in technical details. Half an hour of quarterly training can be the difference between an incident and early detection.

Proximities supports organizations through integrated resilience programs: from threat assessments and real-time monitoring to Security by Design methodologies that anticipate future hybrid threats.⁶

Sabotage in 2025 is not a spy novel but a spreadsheet full of microtasks. For organizations managing critical supply chains, the question is not how large the threat is, but how small it can begin—and who within your organization will spot it first.

¹ Notes from Poland, 'Poland charges nine people suspected of sabotage on behalf of Russia', 21 May 2024.

² NGL Media, 'Puppets from the Telegram', 11 July 2024.

³ BBC News, 'Lithuania charges 15 over alleged Russian-backed parcel bombs', 18 September 2024.

⁴ AIVD, Annual Report 2024 – Hybrid Threats and State Actors.

⁵ EU-SOCTA, 'EU serious and organised crime threat assessment', 27 May 2024; European Commission, EU-Versus-Crime Conference Speech by Commissioner Johansson, 7 June 2024.

⁶ Proximities, Security by Design – Methodology for Critical Infrastructure Projects, 2024.